Reputation: 49
I've written an android app that requires users to register online. Is there a way to ensure incoming JSON registration data originated from my app? Thanks.
Upvotes: 1
Views: 72
Reputation: 113
You can generate a random hash and/or a validator/verification hash (e.g. like a public key).
The easiest form: your app stores the hash, including an expiration time, e.g. a few minutes. Send the verification hash to the user to be added with the registration, so only your app can generate the tokens. E.g.:
$token = bin2hex(openssl_random_pseudo_bytes(16));
// or
$token = bin2hex(random_bytes(16));
If you don't know the incoming hash, a different thing is trying to register.
Upvotes: 0
Reputation: 75629
Is there a way to ensure incoming JSON registration data originated from my app?
Well, Yes and No :)
Yes
When you expose an API to the internet, you usually do not want anyone to be able to talk to it. Therefore the first wall most APIs use is a client token that you show you hold while making API calls. Some APIs want that to be sent with each request (i.e. in a header); others want you to show it while authenticating your user, like OAuth-based APIs. Yet another may give you a secret string and ask you to e.g. hash your request payload (i.e. the JSON) together with your secret and include the resulting checksum in the request. In that case the API does the same once your request arrives at the backend, and as it knows your secret string it can do the same hashing to ensure the checksum you sent matches. So if you have such a mechanism, you should be able to tell which client (software) is talking to you and whether it is allowed to do that or not. If you do not have it implemented, then I'd just add it (this additionally would let you ban certain clients (i.e. old, outdated versions of your apps) if needed by simply blacklisting their "secret"/tokens).
No
Unfortunately all of these keys, secrets etc. I mentioned are part of the client, which in the case of an app are usually included in the app binary, and as binaries must be released to the public their content cannot be considered fully secret: with some work it can be extracted out of the binary and then used to fake requests on behalf of that app. And telling whether the call is from the original code or was sent by an impostor is unfortunately impossible.
Upvotes: 2
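As an added example that is not code from the question or from any of the answers, here is the "hash your request payload with your secret" scheme from the answer above, in PHP since the server side on this page is PHP: the app computes an HMAC over a timestamp, a nonce and the registration JSON, and the API recomputes it with the same secret. CLIENT_SECRET, signRequest, verifyRequest and the nonce store are assumed names, and, exactly as the "No" part says, the secret shipped inside the APK can still be extracted, so this identifies the client software rather than proving the caller is honest.

```php
<?php
// Added example: HMAC-signed registration requests (assumed names, not from the page).
// CLIENT_SECRET is a constructed placeholder; in practice it is baked into the app build
// and stored server-side, and can be rotated or blacklisted per app version.
const CLIENT_SECRET = 'placeholder-secret-shared-with-app-build';
const MAX_SKEW_SECONDS = 300; // reject requests whose timestamp is more than 5 minutes off

// Client side: what the app computes before sending the registration JSON.
// Timestamp and nonce are bound into the MAC so a captured body cannot simply be resent.
function signRequest(string $secret, string $body, int $timestamp, string $nonce): string
{
    return hash_hmac('sha256', $timestamp . "\n" . $nonce . "\n" . $body, $secret);
}

// Server side: accept only if the timestamp is fresh, the nonce is unused and the MAC matches.
// $seenNonces stands in for a short-lived cache/DB table of nonces already accepted.
function verifyRequest(string $secret, string $body, int $timestamp, string $nonce,
                       string $signature, array &$seenNonces, int $now): bool
{
    if (abs($now - $timestamp) > MAX_SKEW_SECONDS) {
        return false; // stale or clock-skewed request
    }
    if (isset($seenNonces[$nonce])) {
        return false; // this nonce was already accepted: replay
    }
    $expected = signRequest($secret, $body, $timestamp, $nonce);
    // hash_equals compares in constant time, so an attacker cannot learn the MAC byte by byte
    if (!hash_equals($expected, $signature)) {
        return false;
    }
    $seenNonces[$nonce] = $timestamp; // remember it for MAX_SKEW_SECONDS at least
    return true;
}

// Constructed walk-through with a sample registration payload.
$body  = json_encode(['username' => 'alice', 'email' => 'alice@example.com']);
$now   = time();
$nonce = bin2hex(random_bytes(16));
$sig   = signRequest(CLIENT_SECRET, $body, $now, $nonce);
$seen  = [];

var_dump(verifyRequest(CLIENT_SECRET, $body, $now, $nonce, $sig, $seen, $now)); // genuine request
var_dump(verifyRequest(CLIENT_SECRET, $body, $now, $nonce, $sig, $seen, $now)); // same nonce presented again
$tampered = json_encode(['username' => 'mallory', 'email' => 'alice@example.com']);
var_dump(verifyRequest(CLIENT_SECRET, $tampered, $now, bin2hex(random_bytes(16)), $sig, $seen, $now)); // body altered after signing
var_dump(verifyRequest(CLIENT_SECRET, $body, $now - 3600, bin2hex(random_bytes(16)), $sig, $seen, $now)); // timestamp an hour old
```

The checksum proves only that the sender held CLIENT_SECRET; pairing it with the per-user token from the other answers, and checking the timestamp and nonce on the server, is what stops replay of a captured request.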
Reputation: 353
Write this Auth function in your api controller.
protected function Auth($id, $token)
{
    if (!empty($id) && !empty($token)) {
        // Count users whose id and token both match the supplied values
        $user = DB::table('users')->where('id', $id)
            ->where('token', $token)->count();
        if ($user == 1) {
            return true;
        } else {
            return false;
        }
    } else {
        return false;
    }
}
When logging in for the first time, use this method to store a random hash as your user's token. (Store this token in your users table as key=>token.)
$randomString = $this->random_hash();
And when taking input from any API request, read the id and access_token for that user.
$auth = $this->Auth($id, $access_token);
if ($auth == 1)
then you can proceed with your function.
Upvotes: 0